
European data privacy regulation – what makes “personal data”?

Background

In Europe, the first data privacy considerations were brought to the European Council’s attention in 1980, when the Organization for Economic Co-operation and Development (OECD) issued recommendations on the subject. In its “Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data”, the OECD set out seven principles governing data privacy, most of which were later included in the Data Protection Directive of 1995. These principles were not legally binding, but in 1981 the European Council issued a treaty requiring its signatories to regulate data privacy accordingly.

When the European Union was founded in 1993, it regulated data privacy through Directive 95/46/EC, the “Data Protection Directive”. The primary purpose of the Directive was to enforce the right to privacy of every European individual, with principles aimed at protecting people while, at the same time, preserving freedom of speech. The EU member states transposed the Directive into national law, but most of the local implementations did not regulate electronic processing. Among the countries that did extend the Directive and defined proper controls for data processing in electronic environments were Italy and Germany.

In 2016, Directive 95/46 was repealed by Regulation 2016/679, which amends some key aspects, including the definition of “personal data”.

What makes “personal data”?

In Directive 95/46

Initially “personal data” covered:

“any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;” (art. 2 a).

However, in subsequent case law the Court of Justice of the European Union interpreted personal data more broadly, so that it also covers aspects of a person’s professional life. Furthermore, even if the data is only a third party’s opinion about a particular individual, it may still qualify as personal data.

Example from the “Handbook on European Data Protection Law”:

“Any kind of information can be personal data provided that it relates to a person. Example: A supervisor’s assessment of an employee’s work performance, stored in the employee’s personnel file, is personal data about the employee, even though it may just reflect, in part or whole, the superior’s personal opinion, such as: “the employee is not dedicated to his work” and not hard facts, such as: “the employee has been absent from work for five weeks during the last six months.””

In the General Data Protection Regulation (EU Regulation 2016/679)

The General Data Protection Regulation adds several amendments aimed at updating the former directive and strengthening its enforcement. Among them is one regarding the definition of personal data. The new regulation adds “an online identifier” to the enumeration of information types that fall within the scope of “personal data”, clearly extending the scope to the “digital world”. It also introduces new definitions for terms such as “personal data breach” and “biometric data”.

Key points to keep in mind regarding the GDPR update:

  • Personal data means virtually anything related to a person, including online and electronic data;
  • Any controller conducting business in the EU and processing such data is affected, regardless of where the actual processing takes place (e.g. outside the EU);
  • Companies larger than 250 employees need to have a Data Protection Officer;
  • There is an obligation to notify the authorities within 72 hours of identifying a data breach;
  • There is an obligation to notify the affected data subjects;
  • There are fines of up to EUR 20M or 4% of revenue in case of noncompliance.


Recommended reading for understanding the key concepts and following the various interpretations: “Handbook on European Data Protection Law”.

This post was last modified on August 21, 2023 7:27 am

Calin Ghibu

Technical background: over 15 years experience in testing, developing, researching and managing network security solutions. Currently focusing on information security and IT management. Specialties: Network audit, information security, web security, endpoint security, perimeter security SIEM, legal compliance, competitive intelligence.

